packages/aops-apollo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added the repair status of the cve fixed package

Browse Source
This commit is contained in:
gongzt 2023-09-20 09:16:32 +08:00
parent 583e86cf15
commit 37e765789c
8 changed files with 138 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
0001-fix-issue-gen-cve-task-failed.patch
View File

@ -1,28 +0,0 @@
From 614e6462e28c7ab013b669d7a7b2cc9c996a0a3f Mon Sep 17 00:00:00 2001
From: rabbitali <shusheng.wen@outlook.com>
Date: Wed, 28 Jun 2023 11:57:38 +0800
Subject: [PATCH 1/1] fix issue:gen cve task failed
---
apollo/database/proxy/task.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/apollo/database/proxy/task.py b/apollo/database/proxy/task.py
index dd172b8..ed5e858 100644
--- a/apollo/database/proxy/task.py
+++ b/apollo/database/proxy/task.py
@@ -3224,8 +3224,9 @@ class TaskProxy(TaskMysqlProxy, TaskEsProxy):
"""
try:
- exists_cve_count = self.session.query(CveHostAssociation).filter(
- CveHostAssociation.cve_id.in_(cve_id)).count()
+ exists_cve_count = self.session.query(CveHostAssociation.cve_id).filter(
+ CveHostAssociation.cve_id.in_(cve_id)).distinct().count()
+
return True if exists_cve_count == len(cve_id) else False
except SQLAlchemyError as error:
--
2.33.0

30
0001-fix-updateinfo_parse.py-bug.patch Normal file
View File

@ -0,0 +1,30 @@
From 68d4c8cad42960391998868f15e2f99b40daa216 Mon Sep 17 00:00:00 2001
From: wang-guangge <wangguangge@huawei.com>
Date: Tue, 19 Sep 2023 13:58:04 +0800
Subject: [PATCH] fix updateinfo_parse.py bug
---
hotpatch/updateinfo_parse.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hotpatch/updateinfo_parse.py b/hotpatch/updateinfo_parse.py
index 42e3814..7bfba61 100644
--- a/hotpatch/updateinfo_parse.py
+++ b/hotpatch/updateinfo_parse.py
@@ -279,12 +279,12 @@ class HotpatchUpdateInfo(object):
hotpatch(Hotpatch)
"""
hotpatch.state = self.UNRELATED
+ is_find_installable_hp = False
for required_pkg_name, required_pkg_vere in hotpatch.required_pkgs_info.items():
inst_pkgs = self._inst_pkgs_query.filter(name=required_pkg_name)
# check whether the relevant target required package is installed on this machine
if not inst_pkgs:
return
- is_find_installable_hp = False
for inst_pkg in inst_pkgs:
inst_pkg_vere = '%s-%s' % (inst_pkg.version, inst_pkg.release)
if not self.version.larger_than(required_pkg_vere, inst_pkg_vere):
--
2.33.0

67
0002-add-repair-status-of-the-cve-fixed-package.patch Normal file
View File

@ -0,0 +1,67 @@
From 7797ac40d715c9e7d56f1d6c0053b699c42c4ac2 Mon Sep 17 00:00:00 2001
From: gongzt <gong_zhengtang@163.com>
Date: Tue, 19 Sep 2023 18:45:38 +0800
Subject: Added the repair status of the cve fixed package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
apollo/database/proxy/cve.py | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/apollo/database/proxy/cve.py b/apollo/database/proxy/cve.py
index 95de25c..c6d017e 100644
--- a/apollo/database/proxy/cve.py
+++ b/apollo/database/proxy/cve.py
@@ -1562,21 +1562,25 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
cve_fixed_packages = (
self.session.query(
+ CveHostAssociation.id,
CveHostAssociation.installed_rpm,
CveHostAssociation.fixed_way,
func.count(CveHostAssociation.host_id).label("host_num"),
)
.filter(*filters)
- .group_by('installed_rpm', 'fixed_way')
+ .group_by('installed_rpm', 'fixed_way', 'id')
.all()
)
if not cve_fixed_packages:
return NO_DATA, []
+ cve_fixed_packages_status = (
+ self.session.query(CveHostAssociation.id, CveHostAssociation.hp_status).filter(*filters).all()
+ )
- return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages)
+ return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages, cve_fixed_packages_status)
@staticmethod
- def _cve_fixed_packages_row2dict(rows):
+ def _cve_fixed_packages_row2dict(rows, cve_fixed_packages_status):
"""
Fixed cve package row data converted to dictionary
Args:
@@ -1586,10 +1590,17 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
list
"""
result = []
+ cve_fixed_packages_status_dict = {
+ cve_host_match.id: cve_host_match.hp_status for cve_host_match in cve_fixed_packages_status
+ }
for row in rows:
+ status = cve_fixed_packages_status_dict[row.id] if cve_fixed_packages_status_dict[row.id] else ""
+ fixed_way = row.fixed_way
+ if fixed_way != "coldpatch":
+ fixed_way = fixed_way + f" ({status})"
fixed_rpm = {
"installed_rpm": row.installed_rpm,
- "fixed_way": row.fixed_way,
+ "fixed_way": fixed_way,
"host_num": row.host_num,
}
result.append(fixed_rpm)
--
Gitee

65
0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
View File

@ -1,65 +0,0 @@
From 4225065c74beb5e66c4d66a4bd3dfca5bcac91bd Mon Sep 17 00:00:00 2001
From: wang-guangge <wangguangge@huawei.com>
Date: Wed, 28 Jun 2023 16:53:10 +0800
Subject: [PATCH] do not return the related hotpatches when the cve is fixed
---
hotpatch/hotpatch_updateinfo.py | 15 ++++++++++++---
hotpatch/hotupgrade.py | 2 +-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py
index 4b39969..7dc92ce 100644
--- a/hotpatch/hotpatch_updateinfo.py
+++ b/hotpatch/hotpatch_updateinfo.py
@@ -291,7 +291,7 @@ class HotpatchUpdateInfo(object):
Get hotpatches from specified cve. If there are several hotpatches for the same source package for a cve, only return the
hotpatch with the highest version.
- Args:
+ Args:
cves: [cve_id_1, cve_id_2]
Returns:
@@ -307,14 +307,23 @@ class HotpatchUpdateInfo(object):
continue
# find the hotpatch with the highest version for the same source package
mapping_src_pkg_to_hotpatches = dict()
+ # check whether the cve is fixed
+ is_cve_fixed = False
for hotpatch in self.hotpatch_cves[cve_id].hotpatches:
+ if hotpatch.state == self.INSTALLED:
+ is_cve_fixed = True
if hotpatch.state == self.INSTALLABLE:
- mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append([hotpatch.hotpatch_name, hotpatch])
+ mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append(
+ [hotpatch.hotpatch_name, hotpatch]
+ )
+ # do not return the releated hotpatches if the cve is fixed
+ if is_cve_fixed:
+ continue
for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items():
# extract the number in HPxxx and sort hotpatches in descending order according to the number
hotpatches = sorted(hotpatches, key=lambda x: int(re.findall("\d+", x[0])[0]), reverse=True)
mapping_cve_hotpatches[cve_id].append(hotpatches[0][1].nevra)
-
+
return mapping_cve_hotpatches
def get_hotpatches_from_advisories(self, advisories: list[str]) -> dict():
diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py
index 2a36312..3bff9a1 100644
--- a/hotpatch/hotupgrade.py
+++ b/hotpatch/hotupgrade.py
@@ -251,7 +251,7 @@ class HotupgradeCommand(dnf.cli.Command):
cve_hp_dict = updateinfo.get_hotpatches_from_cve(cves)
for cve, hp in cve_hp_dict.items():
if not hp:
- logger.info(_("The cve's hot patch doesn't exist: %s"), cve)
+ logger.info(_("The cve doesn't exist or cannot be fixed by hotpatch: %s"), cve)
continue
hp_list += hp
return list(set(hp_list))
--
2.33.0

28
0003-update-condition-under-which-hotpatches-can-be-applied.patch
View File

@ -1,28 +0,0 @@
From 30a0f76f2150f27db79fedde3af4926b36954066 Mon Sep 17 00:00:00 2001
From: rabbitali <shusheng.wen@outlook.com>
Date: Fri, 30 Jun 2023 19:07:55 +0800
Subject: [PATCH] Update the condition under which hot patches can be applied
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
hotpatch/hotpatch_updateinfo.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py
index 7dc92ce..3963867 100644
--- a/hotpatch/hotpatch_updateinfo.py
+++ b/hotpatch/hotpatch_updateinfo.py
@@ -212,7 +212,7 @@ class HotpatchUpdateInfo(object):
hp_vere = '%s-%s' % (src_pkg_version, src_pkg_release)
if hp_vere != inst_pkg_vere:
continue
- elif self._get_hotpatch_status_in_syscare(hotpatch) == 'ACTIVED':
+ elif self._get_hotpatch_status_in_syscare(hotpatch) in ('ACTIVED', "ACCEPTED"):
hotpatch.state = self.INSTALLED
else:
hotpatch.state = self.INSTALLABLE
--
2.33.0

BIN
aops-apollo-v1.2.2.tar.gz
View File

Binary file not shown.

BIN
aops-apollo-v1.3.2.tar.gz Normal file
View File

Binary file not shown.

48
aops-apollo.spec
View File

@ -1,13 +1,10 @@
Name: aops-apollo
Version: v1.2.2
Release: 4
Version: v1.3.2
Release: 3
Summary: Cve management service, monitor machine vulnerabilities and provide fix functions.
License: MulanPSL2
URL: https://gitee.com/openeuler/%{name}
Source0: %{name}-%{version}.tar.gz
Patch0001: 0001-fix-issue-gen-cve-task-failed.patch
Patch0002: 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
Patch0003: 0003-update-condition-under-which-hotpatches-can-be-applied.patch
BuildRequires: python3-setuptools
@ -17,6 +14,8 @@ Requires: python3-sqlalchemy python3-PyMySQL python3-Flask-APScheduler >= 1.11
Requires: python3-PyYAML python3-flask python3-gevent
Requires: python3-retrying python3-lxml
Provides: aops-apollo
Patch0001: 0001-fix-updateinfo_parse.py-bug.patch
Patch0002: 0002-add-repair-status-of-the-cve-fixed-package.patch
%description
@ -50,6 +49,8 @@ popd
# install for aops-apollo
%py3_install
mkdir -p %{buildroot}/opt/aops/
cp -r database %{buildroot}/opt/aops/
# install for aops-apollo-tool
pushd aops-apollo-tool
@ -63,11 +64,12 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/
%files
%doc README.*
%attr(0644,root,root) %{_sysconfdir}/aops/apollo.ini
%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.ini
%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.yml
%attr(0755,root,root) %{_bindir}/aops-apollo
%attr(0755,root,root) /usr/lib/systemd/system/aops-apollo.service
%{python3_sitelib}/aops_apollo*.egg-info
%{python3_sitelib}/aops_apollo*.egg-info/*
%{python3_sitelib}/apollo/*
%attr(0755, root, root) /opt/aops/database/*
%files -n dnf-hotpatch-plugin
%{python3_sitelib}/dnf-plugins/*
@ -79,6 +81,38 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/
%{python3_sitelib}/aops_apollo_tool/*
%changelog
* Tue Sep 19 2023 gongzhengtang<gong_zhengtang@163.com> - v1.3.2-3
- added the repair status of the cve fixed package
* Tue Sep 19 2023 wangguangge<wangguangge@huawei.com> - v1.3.2-2
- fix the updateinfo_parse.py bug
* Tue Sep 19 2023 wenxin<shusheng.wen@outlook.com> - v1.3.2-1
- fix cve scan callback error
- fix cve-fix task generate error when it only contain coldpatches
- add a method to querying fixed cve info for dnf plugin
* Wed Sep 13 2023 zhuyuncheng<zhuyuncheng@huawei.com> -v1.3.1-5
- fix task_cve_host return all host bug
* Wed Sep 13 2023 gongzhengtang<gong_zhengtang@163.com> -v1.3.1-4
- fixed host ip addresses are not verified in the generation task
* Mon Sep 11 2023 gongzhengtang<gong_zhengtang@163.com> -v1.3.1-3
- fixed several known issues
- fix dnf hot-updateinfo list cves bug
- fixed an error generated after selecting a specific rpm package
* Tue Sep 5 2023 zhuyuncheng<zhuyuncheng@huawei.com> - v1.3.1-2
- fix bug: delete host id filter when rollback in cve list interface
* Tue Sep 5 2023 gongzhengtang<gong_zhengtang@163.com> - v1.3.1-1
- cve repair tasks support rpm packet granularity
* Tue Aug 29 2023 wangguangge<wangguangge@huawei.com> - v1.3.0-1
- update the dnf hot-updateinfo, dnf hotpatch and dnf hotupgrade command
- support the mixed management ability for coldpatches and hotpatches
* Fri Jun 30 2023 wenxin<shusheng.wen@outlook.com> - v1.2.2-4
- Update the condition under which hot patches can be applied